CN100525300C - Communication between a private network and a roaming mobile terminal - Google Patents


Info

Publication number
CN100525300C
Authority
CN
China
Prior art keywords
gateway
new
mobile terminal
communication
signaling message
Prior art date
Application number
CN 200480007203
Other languages
Chinese (zh)
Other versions
CN1762140A (en)
Inventor
亚历克西斯·奥利弗罗
伊斯梅尔·黑里
克里斯托佩·雅内托
米格尔·卡塔利娜
Original Assignee
Motorola Inc. (摩托罗拉公司)
Priority date
Filing date
Publication date
Priority: EP03290770.1 (EP1463257B1)
Application filed by Motorola Inc.
Publication of CN1762140A
Application granted
Publication of CN100525300C

Classifications

    • H04L 63/0209 Network security; separating internal from external traffic (firewalls); architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 29/06 Communication control; communication processing characterised by a protocol
    • H04L 63/0272 Network security; virtual private networks
    • H04L 63/062 Network security; key management in a packet data network; key distribution, e.g. centrally by trusted party
    • H04L 63/08 Network security; supporting authentication of entities communicating through a packet data network
    • H04L 63/164 Network security; implementing security features at the network layer
    • H04W 36/0011 Hand-off or reselection; control or signalling for completing the hand-off for a data session or connection
    • H04W 80/04 Wireless network protocols; network layer protocols, e.g. mobile IP
    • H04W 88/16 Devices for wireless communication networks; gateway arrangements

Abstract

The invention discloses communication between a private network (1) and a roaming mobile terminal (4). The private network (1) comprises a home agent (5) for the mobile terminal and a gateway (2, 3); the communication passes through the gateway (2, 3), which provides security protection for the private network (1). The communication protocol comprises security association bundles, each bundle comprising a security association for inbound communication between the mobile terminal (4) and the gateway (2, 3) and another security association for outbound communication. In response to a handover of the communication that changes the IP address (MN Co@) of the mobile terminal (4) to a new IP address (MN New Co@), the mobile terminal updates its inbound security association from the gateway (2, 3) so that it can receive packets sent to it with the new IP address (MN New Co@) as destination. It sends a first signaling message, addressed to the home agent (5), to the gateway (2, 3) in a secure tunnel (20'); the first signaling message indicates the new IP address (MN New Co@) to the home agent (5) in secure form. The inbound security association of the gateway (2, 3) from the mobile terminal (4) accepts the first signaling message without checking its source address.
The gateway (2, 3) passes the first signaling message to the home agent (5) within the private network (1); the home agent (5) checks the validity of the first signaling message and, if it is valid, updates its address data and sends the gateway (2, 3) a second signaling message indicating the new address (MN New Co@). The gateway (2, 3) updates its outbound security association with the mobile terminal (4) in response to the indicated new address (MN New Co@). Preferably, communication between the mobile terminal (4) and the gateway (2, 3) is according to IPsec and uses the Encapsulating Security Payload protocol in tunnel mode. Preferably, the second signaling message includes a registration reply for the mobile node (4).

Description

Communication between a private network and a roaming mobile terminal

Technical field

The present invention relates to communication between a private network and a roaming mobile terminal.

Background

Many organisations use private networks whose communication with terminals outside the private network passes through a security gateway, which protects the private network using techniques that include a firewall.

When designing an information infrastructure, the protection of private corporate information is of the utmost importance. However, isolated private network solutions are expensive and cannot be updated quickly to follow changing business needs. The Internet, on the other hand, is inexpensive but does not by itself ensure privacy. Virtual private networks gather techniques applied over public networks, in particular the Internet, to provide a solution for private network needs. A virtual private network keeps communication private through obfuscation in secure tunnels rather than through physical isolation.

A virtual private network (VPN) thus allows a private network to be extended to secure communication with roaming terminals, i.e. terminals located outside the private network, the communication passing over, for example, the Internet and possibly over a mobile telephone network. The Internet uses the Internet Protocol (IP), while communication with mobile terminals often uses Mobile IP (MIP).

It is foreseen that roaming use of virtual private networks will become more important and more frequent. The corporate VPN/firewall architecture will need to offer such frequently roaming users the same level of security as fixed terminals or occasionally roaming terminals.

Different communication and security protocols are used in different networks. An example of an Internet security protocol is the IPsec specification [S. Kent, R. Atkinson, "Security Architecture for the Internet Protocol", Internet Engineering Task Force (IETF), RFC 2401, November 1998]. Examples of mobile communication protocols are the Mobile IPv4 specification [C. Perkins, "IP Mobility Support", RFC 2002, October 1996] and the Mobile IPv6 specification. When the VPN protocol is IPsec Encapsulating Security Payload and the mobility protocol is Mobile IP, both are implemented in the same IP layer, and it is necessary to specify how the two protocols must interact when both are needed at the same time.

Besides the basic order of application (Mobile IP first, or IPsec first), an overall solution must also aim to satisfy three main requirements:

• Security. The fact that the VPN infrastructure can support Mobile IP users must not open any new security hole for any corporate entity (the corporate network as well as mobile users or occasional roaming users). Mobile IP enabled devices must offer mobile users the same level of security as if they were physically located in the corporate network. On the other hand, Mobile IP entities must be adequately protected by the corporate security infrastructure (firewalls), and the specific security mechanisms of Mobile IP must not interfere with the global security mechanisms.

• Compatibility. A solution achieving optimal interaction between Mobile IP and IPsec must avoid heavy modification of the protocol specifications. Future evolution of the Mobile IP and IPsec protocols must not be made too difficult by the use of the optimised combined solution; ideally, such evolution should be transparent to the use of the combined solution.

• Performance. The invention must address the specific needs of mobile users in terms of handover quality: handover must be performed as quickly as possible.

One example of a communication protocol for a virtual private network is the ESP (Encapsulating Security Payload) protocol in tunnel mode (S. Kent, R. Atkinson, "IP Encapsulating Security Payload", Internet Engineering Task Force (IETF), RFC 2406, November 1998). Its most important features are as follows:

• The whole incoming IP packet is encapsulated in a new IP packet; the inner (original) source and destination addresses are unchanged.

• The whole incoming IP packet is encrypted and optionally (recommended) authenticated. ESP tunnel mode is by definition a unidirectional peer-to-peer protocol. The sender (the party that encrypts and encapsulates) and the receiver (the party that decapsulates and decrypts) must share cryptographic material (e.g. the keys and algorithms used for encryption/decryption). The set of security parameters (protocol, keys, algorithms, sender address, receiver address, lifetime, ...) constitutes what is called an IPsec Security Association (SA). IPsec needs two SAs (an SA bundle) to obtain secure unidirectional communication: one on the sender and one on the receiver (sharing some common parameters, such as the keys).

Because VPN communication is bidirectional (from the mobile node (MN) to the VPN gateway and from the VPN gateway to the MN), two SA bundles are needed: the first SA bundle describes the tunnel from the MN to the VPN gateway, the second describes the tunnel from the VPN gateway to the MN. Note that the name "VPN gateway" is not specified by the protocol: the VPN gateway is simply the topological entity on the corporate network side that terminates all VPN secure tunnels to/from roaming mobile nodes.

SA selectors are used when processing IPsec packets. Basically, SA selectors are parameters used by IPsec to check:

• that a packet to be sent on the tunnel defined by a given outbound SA is actually legitimately sent with that SA (e.g. the packet's source and destination addresses match the SA's source and destination addresses). This test is called the "outbound SA selector check".

• that a packet received from the tunnel defined by a given inbound SA is actually legitimately received with that SA (e.g. the packet's source and destination addresses match the SA's source and destination addresses). This test is called the "inbound SA selector check".

Note that, as in the two examples above, the present invention considers only the source and destination addresses as SA selectors for inbound and outbound SAs.

Two families of solutions address this situation.

IPsec tunnel inside the MIP tunnel

With this family of solutions, an IPsec tunnel is established between the VPN gateway and the mobile node's home address (Home Address).

External home agent. The home agent is placed in front of the IPsec gateway and the corporate firewall, i.e. outside the home network. Clearly there is a serious security hole; the main one is that, at the network boundary, the home agent is no longer protected by the common protection mechanisms (the corporate firewall). In fact, a home agent placed outside the gateway benefits from no protection at all and becomes an easy target. When designing a VPN solution aimed at secure communication, this kind of security hole is not acceptable.

Another problem stems from the tunnelling mechanism, which does not encrypt the MIP packets (the IPsec tunnel is inside the MIP tunnel). The MIP header is in clear text, and any attacker with malicious intent will learn all the header fields, for example the mobile node's home address. This solution therefore provides no privacy, and a malicious node could track all successive locations of a mobile node, which is identified by its home address.

MIP proxy. This solution is described in the draft (F. Adrangi, P. Iyer, "Mobile IPv4 Traversal across VPN or NAT & VPN Gateway", IETF work in progress draft-adrangi-mobileip-natvpn-traversal-01.txt, February 2002). It takes the form of a new entity, called the Mobile IP Proxy, which from the mobile node's perspective appears as a surrogate home agent and which, conversely, the home agent regards as the mobile node. This solution is also based on IPsec inside the MIP tunnel and, in terms of privacy, offers less confidentiality than MIP inside IPsec.

Even simple roaming handling requires signalling messages between the MIP proxy, the VPN gateway and the home agent: the MIP proxy acts as a relay between the mobile node and the home agent (HA); it must know the protection existing between the mobile node and the HA in order to relay only valid requests. It also interacts with the VPN gateway, and ordinary packets from a correspondent node to the MN undergo a great deal of processing: they are first MIP-encapsulated by the HA and passed to the MIP proxy; the MIP proxy then decapsulates them and hands them to the VPN gateway for encryption; the VPN gateway sends the encrypted packets back to the MIP proxy, which encapsulates them again in new MIP packets. The MIP proxy sits in a demilitarized zone (DMZ) outside the protected domain, i.e. a small network inserted as a "buffer zone" between the company's private network and the external public network. The security level of machines in the DMZ is far lower than that of the corporate network. The firewall must not interfere with the registration process between the proxy and the home agent. This architecture implies a possible security hole, because the corporate firewall must let any packet between the MIP proxy and the home agent pass without further inspection: if an attacker manages to gain access to the MIP proxy, this can easily lead to a compromise of the whole corporate network.

MIP tunnel inside the IPsec tunnel

With this family of solutions, an IPsec tunnel is established between the VPN gateway and the mobile node's care-of address (Care-of Address).

The University of Bern, Switzerland, describes a scheme with the MIP tunnel inside the IPsec tunnel at www.iam.unibe.ch/~rvs/publications/secmip—gi.pdf. The IPsec tunnel is reset before any new handover: when moving to a new network it must be re-established through the whole key distribution process. This handover mode causes unacceptable delays of many seconds, incompatible with conventional MIP requirements.

Another problem with this scheme is that it takes the view that IPsec provides sufficient protection and, as a result, disables authentication and replay protection in the MIP registration process. Disabling protection on the home agent is an option that does not really improve speed, and it requires home agents dedicated to MIP-VPN users and others dedicated to plain MIP users who still use MIP protection.

The present invention addresses the above and other problems.

Summary of the invention

The present invention provides a method and apparatus for communication as described in the claims.

Figure 1 is a schematic diagram of a mobile virtual private network scenario; Figure 2 illustrates a data packet encapsulated in ESP tunnel mode; Figure 3 is a flow chart, given by way of example, of the exchanges in communication between a private network and a roaming mobile terminal according to one embodiment of the invention; and Figure 4 is a flow chart of the processing for receiving a registration request in the communication process illustrated in Figure 3.

Detailed description

Figure 1 shows a mobile virtual private network scenario comprising a private network 1, which comprises: a security gateway comprising a VPN gateway 2 and a firewall 3; a mobile node 4, located in the private network 1; and a home agent 5 for the mobile node 4. The embodiment of the invention shown in the figures is particularly suited to the case where the mobile node 4 can communicate over a wireless link, which improves its ability to roam inside and outside the private network 1, but this embodiment is also applicable where the mobile node 4 communicates only over wired connections.

Figure 1 shows a scenario in which the advantages of this embodiment are particularly marked: the mobile node 4 moves outside the private network 1, first to a visited network 6, which has a foreign agent 7 operating under the Mobile IPv4 protocol, so that the roaming mobile node 4 in network 6 can communicate with the private network 1 over the Internet 8. In this scenario the roaming mobile node 4 then moves to a second visited network 9, which has a foreign agent 10, likewise operating under Mobile IPv4, for communication with the private network 1 over the Internet 8. Although this embodiment operates with the Mobile IPv4 protocol, it will be appreciated that the invention is also applicable to other protocols, in particular Mobile IPv6.

When the mobile node 4 roams in visited network 6 or 9, communication with the private network 1 is established over the Internet 8 in IPsec and MIP tunnels 11 and 12 respectively. More precisely, the protocol used is the Encapsulating Security Payload (ESP) protocol illustrated in Figure 2. Under this protocol the original packet 13 comprises an original IP header 14 and data 15. The packet 13 is encrypted together with an ESP trailer 16, without changing the original IP header and destination address. The encrypted packet is encapsulated with an ESP header 17, preferably with ESP authentication 18, and assembled with a new IP header 19 before transmission. Security association bundles are established, each bundle comprising an outbound and an inbound security association, for communication with the VPN gateway 2 over paths 11 and 12. The security association selectors check that a packet to be sent over the tunnel defined by an outbound security association is legitimately sent with that security association, in particular that the packet's source and destination addresses match the security association's source and destination addresses; this test is the outbound SA selector check.
A packet received from the tunnel defined by an inbound security association is checked for legitimate reception with that security association, in particular that the packet's source and destination addresses match the security association's source and destination addresses; this test is the inbound SA selector check.
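The Figure 2 layout, as an added example that is not part of the patent text: the inner packet (original IP header 14 plus data 15, carrying the home address) is wrapped with an ESP header 17, an ESP trailer 16 and an authentication field 18, and a new IP header 19 carries the care-of address and the gateway address. To keep the byte layout visible the example uses the NULL cipher (RFC 2410) with HMAC-SHA1-96 authentication (RFC 2404), a combination ESP allows; the addresses, SPI and key are constructed for this example.

```python
import hmac
import hashlib
import socket
import struct

# ESP tunnel mode framed as in Figure 2, with the NULL cipher (RFC 2410) and
# HMAC-SHA1-96 authentication (RFC 2404). NULL is used only so the layout stays
# readable; the key and addresses below are constructed for this example.
IPPROTO_IPIP = 4     # next-header value for an encapsulated IPv4 packet
IPPROTO_ESP = 50
ICV_LEN = 12


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; never put on the wire here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt: bytes) -> tuple:
    """Return (src, dst, protocol) of the IPv4 header at the start of pkt."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9]), fields[6]


def esp_encapsulate(inner: bytes, spi: int, seq: int, key: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    """new IP header 19 | ESP header 17 | inner packet 13 + ESP trailer 16 | ESP auth 18."""
    pad_len = (-(len(inner) + 2)) % 4              # align pad-length/next-header to 4 bytes
    padding = bytes(range(1, pad_len + 1))         # RFC 2406 default self-describing padding
    trailer = padding + bytes([pad_len, IPPROTO_IPIP])
    protected = struct.pack("!II", spi, seq) + inner + trailer   # NULL cipher: sent as-is
    icv = hmac.new(key, protected, hashlib.sha1).digest()[:ICV_LEN]
    esp = protected + icv
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def esp_decapsulate(pkt: bytes, key: bytes, expected_spi: int) -> bytes:
    """Check the ICV and SPI, strip the ESP framing and return the inner packet 13."""
    esp = pkt[20:]
    protected, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, protected, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ESP authentication failed")
    spi, _seq = struct.unpack("!II", protected[:8])
    if spi != expected_spi:
        raise ValueError("unknown SPI")
    pad_len, next_hdr = protected[-2], protected[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("unexpected next header")
    return protected[8:len(protected) - 2 - pad_len]


KEY = b"constructed-auth-key-for-this-example"
HOME, CN, COA, GATEWAY = "10.0.0.7", "10.0.0.1", "198.51.100.23", "203.0.113.1"


def tunnel_roundtrip() -> tuple:
    """Tunnel a packet from the home address to a correspondent inside the private network.
    Returns (outer src, outer dst, inner src, inner dst) to show which header each side sees."""
    inner = ipv4_header(HOME, CN, 17, 5) + b"hello"
    outer = esp_encapsulate(inner, 0x1001, 1, KEY, COA, GATEWAY)
    o_src, o_dst, o_proto = parse_ipv4(outer)
    assert o_proto == IPPROTO_ESP
    recovered = esp_decapsulate(outer, KEY, 0x1001)
    assert recovered == inner
    i_src, i_dst, _ = parse_ipv4(recovered)
    return o_src, o_dst, i_src, i_dst


def tampered_packet_rejected() -> bool:
    """Flip one byte of the protected region and confirm the receiver drops the packet."""
    inner = ipv4_header(HOME, CN, 17, 5) + b"hello"
    pkt = bytearray(esp_encapsulate(inner, 0x1001, 1, KEY, COA, GATEWAY))
    pkt[30] ^= 0xFF                                 # inside the inner IP header
    try:
        esp_decapsulate(bytes(pkt), KEY, 0x1001)
    except ValueError:
        return True
    return False
```

The SA selector checks described above look only at the outer header (care-of address and gateway address); the inner header with the home address sits inside the authenticated region, which is what the MIP-inside-IPsec ordering relies on to hide it from an observer on the path.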

In this embodiment, the inbound security association of the VPN gateway 2 does not contain the IP address of the mobile node 4 as source address but contains a wildcard (*). This allows the VPN gateway 2 to receive and pass on packets from the mobile node 4 whatever care-of address it may be using. Note that this does not contradict the IPsec protocol, since a wildcard value is permitted by the protocol for the source address selector of a security association. The tunnel order is MIP tunnel inside IPsec tunnel, the IPsec tunnel being between the VPN gateway 2 and the mobile node 4 with the mobile node's care-of address as endpoint.

Figure 3 shows the processing of the communication while the mobile node 4 is roaming, where outbound and inbound refer to packets at the mobile node 4. Initially, the IPsec tunnels are those for communication established at the mobile node 4's current care-of address. The outbound IPsec tunnel 20 has, at the mobile node 4, a security association with the mobile node's current care-of address as source address and the VPN gateway 2's address as destination address, and, at the VPN gateway 2, a security association with a wildcard as source address and the VPN gateway 2's address as destination address. The initial inbound IPsec tunnel 21 has, at the mobile node 4, a security association with the VPN gateway 2's address as source address and the mobile node 4's current care-of address as destination address, and, at the VPN gateway 2, a security association with the VPN gateway address as source address and the mobile node 4's care-of address as destination address.

When, at 22, the mobile node moves from one visited network to another, e.g. from visited network 6 to visited network 9, the mobile node 4 learns that its location has changed, e.g. from an incoming agent advertisement. It then sets a new care-of address that is routable in the new visited network 9. The mobile node 4 contains VPN client software that reacts to the change of location, e.g. in response to network selection middleware or by monitoring the source address of outbound packets. The VPN client software then dynamically changes the inbound security association on the mobile node 4 so that its destination address is the mobile node's new care-of address; the inbound IPsec tunnel 21 becomes a temporary inbound IPsec tunnel 23. In this way the mobile node 4 will be able to receive packets sent securely by the VPN gateway 2 to its new care-of address; otherwise those packets would be dropped because they do not match the destination address included in the previous inbound IPsec tunnel 21. Similarly, the VPN client software dynamically changes the outbound security association on the mobile node 4 so that its source address is the mobile node's new care-of address; the outbound IPsec tunnel 20 becomes outbound IPsec tunnel 20'. Otherwise the mobile node 4 would be unable to send outgoing packets, since they would not match the source address included in the previous outbound IPsec tunnel 20.

The mobile node 4 then sends a signalling message to its home agent, through the outbound IPsec tunnel 20' and the VPN gateway 2, to inform the home agent of its new location. This signalling message takes the form of a registration request, the protocol used in this embodiment being Mobile IPv4.

The signalling message is received at the VPN gateway 2 in step 24. The SA selector in the VPN gateway for the outbound tunnel 20' does not reject the packet, because the source address field is a wildcard and the source address is therefore not checked, and the packet is passed to the home agent 5. In step 25 the home agent 5 receives and processes the registration request message from the mobile node 4, which indicates the new care-of address. If the registration request is valid, the home agent 5 sends the VPN gateway 2 a Security Information Update (SIU) message containing the command to update the security association of the temporary IPsec tunnel 23 on the VPN gateway. The SIU message is processed at the VPN gateway 2 by a daemon, that is, a background program providing a service to the system.

In response to the SIU message, the VPN gateway 2 updates its security association for the temporary inbound IPsec tunnel 23 into a security association for a new IPsec tunnel 26 whose destination address is the new care-of address of the mobile node 4. This update is performed before any packet is sent to the mobile node 4, and in particular before the registration reply. In the preferred embodiment of the invention, the SIU message from the home agent 5 to the VPN gateway 2 includes the registration reply for the mobile node 4.

It should be appreciated that this particular procedure of the home agent 1 is triggered only when the registration request is received through a VPN gateway such as 2, which corresponds to the mobile node 4 being located outside the private network 1. If the mobile node is inside the private network 1, and therefore does not use the VPN service, the home agent 5 responds with a normal registration reply according to the normal procedure.

In step 27 the VPN gateway 2 passes the registration reply to the mobile node 4 using the newly established inbound IPsec tunnel 26, and uses tunnel 26 to send all further data packets to the new care-of address until further notice.

If in step 25 the registration request is unsuccessful at the home agent 5, the process does not suffer irreparable harm. No registration reply will be received at the mobile node 4, which will send another registration request. If the home agent 5 continues to refuse the registration request, the mobile node 4 will eventually give up trying and establish a new tunnel for the new care-of address without using the processing of this embodiment of the invention. This situation is inherent in the Mobile IP design.

Figure 4 illustrates the procedure employed by the home agent 5 in the above processing. The procedure starts at 28, and in step 29 an input in the form of a registration request is received from the mobile node 24. In step 30 it is checked whether the registration request is valid, and if the home agent 5 does not accept the registration the procedure terminates at 31. If the home agent 5 accepts the registration request, it is checked at 32 whether the registration request was received through a VPN gateway such as 2. If not, a registration reply is built and, in step 33, sent directly to the mobile node 4 over the private network 1. If the registration request was received through a VPN gateway such as 2, a registration reply for the mobile node 4 is built at 34. Then, at 35, the registration reply is included in a new packet generated by the home agent 35, and the packet also contains the previous care-of address and the new care-of address of the mobile node 4. In step 36 the packet is sent to the VPN gateway 2, and the procedure again terminates at 31.
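The exchange described in the steps above, as an added Python simulation that is not part of the patent: IPsec security associations are reduced to their address selectors, the registration request is authenticated with an HMAC that stands in for the Mobile IPv4 MN-HA authentication extension, and the addresses, the identifier `mn4`, the shared key and all message field names are constructed for the example. The run shows the gateway's wildcard-source selector accepting the request from the new care-of address, the Figure 4 branch in which the home agent answers through an SIU carrying the old and new care-of addresses plus the reply, the gateway daemon switching its SA to tunnel 26 before delivering anything, and the failure mode of an invalid request, where no state changes and the mobile node is left to retry.

```python
import hashlib
import hmac
from dataclasses import dataclass

ANY = "*"  # wildcard selector value (the gateway's SA for tunnel 20/20' uses it as source)


@dataclass
class SA:
    """IPsec security association reduced to its address selectors (no crypto modelled)."""
    src: str
    dst: str

    def accepts(self, pkt: dict) -> bool:
        return (self.src == ANY or self.src == pkt["src"]) and self.dst == pkt["dst"]


def authenticator(key: bytes, mn_id: str, coa: str) -> str:
    """Constructed stand-in for the Mobile IPv4 MN-HA authentication extension."""
    return hmac.new(key, f"{mn_id}|{coa}".encode(), hashlib.sha256).hexdigest()


class MobileNode:
    def __init__(self, mn_id: str, key: bytes, coa: str, gateway: str):
        self.id, self.key, self.coa, self.gw = mn_id, key, coa, gateway
        self.inbound = SA(src=gateway, dst=coa)   # tunnel 21
        self.outbound = SA(src=coa, dst=gateway)  # tunnel 20
        self.reply = None

    def on_handover(self, new_coa: str) -> None:
        """VPN client reacts to the address change: tunnel 21 -> 23 and tunnel 20 -> 20'."""
        self.coa = new_coa
        self.inbound = SA(src=self.gw, dst=new_coa)
        self.outbound = SA(src=new_coa, dst=self.gw)

    def registration_request(self) -> dict:
        body = {"type": "RegReq", "mn": self.id, "coa": self.coa}
        body["auth"] = authenticator(self.key, self.id, self.coa)
        return {"src": self.coa, "dst": self.gw, "payload": body}

    def receive(self, pkt: dict) -> bool:
        if not self.inbound.accepts(pkt):
            return False  # destination does not match the inbound SA: dropped
        self.reply = pkt["payload"]
        return True


class HomeAgent:
    def __init__(self, keys: dict, bindings: dict):
        self.keys, self.bindings = keys, bindings  # mn_id -> shared key / care-of address

    def handle(self, req: dict, via_gateway: bool):
        """Figure 4: validity check (30), then branch on arrival through a VPN gateway (32)."""
        p = req["payload"]
        key = self.keys.get(p["mn"])
        if key is None or not hmac.compare_digest(p["auth"], authenticator(key, p["mn"], p["coa"])):
            return None  # terminate at 31: no reply is sent, the mobile node will retry
        old, self.bindings[p["mn"]] = self.bindings.get(p["mn"]), p["coa"]
        reply = {"type": "RegReply", "mn": p["mn"], "coa": p["coa"]}
        if not via_gateway:
            return {"to": "mn", "payload": reply}  # step 33: direct over the private network
        return {"to": "gateway", "payload": {  # steps 34-36: SIU with old/new CoA and the reply
            "type": "SIU", "mn": p["mn"], "old_coa": old, "new_coa": p["coa"], "reply": reply}}


class VpnGateway:
    def __init__(self, addr: str, mn_coa: str, home_agent: HomeAgent):
        self.addr, self.ha = addr, home_agent
        self.from_mn = SA(src=ANY, dst=addr)   # tunnel 20/20': source address not verified
        self.to_mn = SA(src=addr, dst=mn_coa)  # tunnel 21, later 23 and 26

    def receive_from_mn(self, pkt: dict, mn: MobileNode) -> bool:
        if not self.from_mn.accepts(pkt):
            return False
        result = self.ha.handle(pkt, via_gateway=True)  # steps 24-25
        if result is None:
            return False
        self.process_siu(result["payload"], mn)
        return True

    def process_siu(self, siu: dict, mn: MobileNode) -> None:
        """Daemon: switch the SA to the new care-of address before sending anything."""
        self.to_mn = SA(src=self.addr, dst=siu["new_coa"])  # tunnel 26
        self.send_to_mn({"src": self.addr, "dst": siu["new_coa"], "payload": siu["reply"]}, mn)

    def send_to_mn(self, pkt: dict, mn: MobileNode) -> bool:
        return self.to_mn.accepts(pkt) and mn.receive(pkt)


def run_handover(mn_key: bytes, ha_key: bytes) -> dict:
    """Constructed scenario: MN 'mn4' moves from 10.0.6.4 to 10.0.9.4 behind gateway 192.0.2.1."""
    ha = HomeAgent(keys={"mn4": ha_key}, bindings={"mn4": "10.0.6.4"})
    gw = VpnGateway("192.0.2.1", "10.0.6.4", ha)
    mn = MobileNode("mn4", mn_key, "10.0.6.4", "192.0.2.1")
    mn.on_handover("10.0.9.4")
    # With only the MN side updated, a packet through the old gateway SA no longer matches the MN
    reachable_before = gw.send_to_mn({"src": gw.addr, "dst": "10.0.6.4", "payload": {"type": "data"}}, mn)
    registered = gw.receive_from_mn(mn.registration_request(), mn)
    return {"reachable_before": reachable_before, "registered": registered,
            "gateway_sa_dst": gw.to_mn.dst, "ha_binding": ha.bindings["mn4"], "reply": mn.reply}


if __name__ == "__main__":
    print(run_handover(b"shared-secret", b"shared-secret"))
    print(run_handover(b"wrong-secret", b"shared-secret"))
```

The ordering inside `process_siu` is the point the description insists on: the gateway's SA is rewritten to the new care-of address first, and only then is the registration reply sent, so the reply travels through tunnel 26 rather than the stale tunnel 23. The second run, with a key that does not match the home agent's, leaves the gateway SA and the binding at the old address and delivers no reply, which is the retry situation the text calls inherent in Mobile IP.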

Claims (5)

1. A method of communication between a private network (1) and a roaming mobile terminal (4), the private network (1) comprising a home agent (5) for the roaming mobile terminal and a gateway (2, 3), the communication passing through the gateway (2, 3) and the gateway (2, 3) providing security protection for the private network (1), the protocol of the communication comprising security association groups, each security association group comprising a security association for inbound communication and another security association for outbound communication between the roaming mobile terminal (4) and the gateway (2, 3), characterized in that, in response to a communication handover that changes the IP address (MN Co@) of the roaming mobile terminal (4) to a new IP address (MN New Co@), the roaming mobile terminal updates its inbound security association originating from the gateway (2, 3) so that it can receive packets sent to it with the new IP address (MN New Co@) as destination; the roaming mobile terminal (4) sends a first signaling message, targeted at the home agent (5), to the gateway (2, 3) in a secure tunnel (20'), the first signaling message indicating the new IP address (MN New Co@) to the home agent (5) in secure form; the inbound security association of the gateway (2, 3) originating from the roaming mobile terminal (4) receives the first signaling message without checking its source address; the gateway (2, 3) passes the first signaling message to the home agent (5) in the private network (1); the home agent (5) checks the validity of the first signaling message and, if it is valid, updates its address data and sends to the gateway (2, 3) a second signaling message indicating the new address (MN New Co@); and the gateway (2, 3) updates its outbound security association with the roaming mobile terminal (4) in response to the indicated new address (MN New Co@).
2. The method of claim 1, wherein the communication between the roaming mobile terminal (4) and the gateway (2, 3) follows the IPsec protocol specification.
3. The method of claim 2, wherein the communication between the gateway (2, 3) and the roaming mobile terminal (4) follows the Encapsulating Security Payload protocol used in tunnel mode.
4. The method of any preceding claim, wherein a registration reply for the roaming mobile terminal (4) is included in the second signaling message.
5. A system for communication between a private network (1) and a roaming mobile terminal (4), the private network (1) comprising a home agent (5) for the roaming mobile terminal and a gateway (2, 3), the communication passing through the gateway (2, 3) and the gateway (2, 3) providing security protection for the private network (1), the protocol of the communication comprising security association groups, each security association group comprising a security association for inbound communication and another security association for outbound communication between the roaming mobile terminal (4) and the gateway (2, 3), the system comprising: means, responsive to a communication handover that changes the IP address (MN Co@) of the roaming mobile terminal (4) to a new IP address (MN New Co@), for the roaming mobile terminal to update its inbound security association originating from the gateway (2, 3) so that the roaming mobile terminal (4) can receive packets sent to it with the new IP address (MN New Co@) as destination; means for the roaming mobile terminal (4) to send a first signaling message, targeted at the home agent (5), to the gateway (2, 3) in a secure tunnel (20'), the first signaling message indicating the new IP address (MN New Co@) to the home agent (5) in secure form; means for the inbound security association of the gateway (2, 3) originating from the roaming mobile terminal (4) to receive the first signaling message without checking its source address; means for the gateway (2, 3) to pass the first signaling message to the home agent (5) in the private network (1); means for the home agent (5) to check the validity of the first signaling message and, if it is valid, to update its address data and send to the gateway (2, 3) a second signaling message indicating the new address (MN New Co@); and means for the gateway (2, 3) to update its outbound security association with the roaming mobile terminal (4) in response to the indicated new address (MN New Co@).
CN 200480007203 2003-03-27 2004-03-15 Communication between a private network and a roaming mobile terminal CN100525300C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP03290770.1 2003-03-27
EP20030290770 EP1463257B1 (en) 2003-03-27 2003-03-27 Communication between a private network and a roaming mobile terminal

Publications (2)

Publication Number Publication Date
CN1762140A CN1762140A (en) 2006-04-19
CN100525300C true CN100525300C (en) 2009-08-05

Family

ID=32799149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200480007203 CN100525300C (en) 2003-03-27 2004-03-15 Communication between a private network and a roaming mobile terminal

Country Status (9)

Country Link
US (1) US7516486B2 (en)
EP (1) EP1463257B1 (en)
JP (1) JP4163215B2 (en)
KR (1) KR100679882B1 (en)
CN (1) CN100525300C (en)
AT (1) AT329443T (en)
DE (1) DE60305869T2 (en)
ES (1) ES2264756T3 (en)
WO (1) WO2004086718A1 (en)

Also Published As

Publication number Publication date
KR100679882B1 (en) 2007-02-07
KR20050122221A (en) 2005-12-28
DE60305869T2 (en) 2006-10-05
US20060185012A1 (en) 2006-08-17
EP1463257B1 (en) 2006-06-07
US7516486B2 (en) 2009-04-07
JP2006514815A (en) 2006-05-11
AT329443T (en) 2006-06-15
DE60305869D1 (en) 2006-07-20
ES2264756T3 (en) 2007-01-16
EP1463257A1 (en) 2004-09-29
WO2004086718A1 (en) 2004-10-07
CN1762140A (en) 2006-04-19
JP4163215B2 (en) 2008-10-08


Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
C41 Transfer of patent application or patent right or utility model
ASS Succession or assignment of patent right

Owner name: MOTOROLA MOBILE CO., LTD.

Free format text: FORMER OWNER: MOTOROLA INC.

Effective date: 20110107

C56 Change in the name or address of the patentee
C41 Transfer of patent application or patent right or utility model